1.\" $NetBSD: krb5_get_init_creds.3,v 1.2 2017/01/28 21:31:49 christos Exp $ 2.\" 3.\" Copyright (c) 2003 - 2007 Kungliga Tekniska Högskolan 4.\" (Royal Institute of Technology, Stockholm, Sweden). 5.\" All rights reserved. 6.\" 7.\" Redistribution and use in source and binary forms, with or without 8.\" modification, are permitted provided that the following conditions 9.\" are met: 10.\" 11.\" 1. Redistributions of source code must retain the above copyright 12.\" notice, this list of conditions and the following disclaimer. 13.\" 14.\" 2. Redistributions in binary form must reproduce the above copyright 15.\" notice, this list of conditions and the following disclaimer in the 16.\" documentation and/or other materials provided with the distribution. 17.\" 18.\" 3. Neither the name of the Institute nor the names of its contributors 19.\" may be used to endorse or promote products derived from this software 20.\" without specific prior written permission. 21.\" 22.\" THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 23.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 24.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 25.\" ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 26.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 27.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 28.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 29.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 30.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 31.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 32.\" SUCH DAMAGE. 33.\" 34.\" Id 35.\" 36.Dd Sep 16, 2006 37.Dt KRB5_GET_INIT_CREDS 3 38.Os 39.Sh NAME 40.Nm krb5_get_init_creds , 41.Nm krb5_get_init_creds_keytab , 42.Nm krb5_get_init_creds_opt , 43.Nm krb5_get_init_creds_opt_alloc , 44.Nm krb5_get_init_creds_opt_free , 45.Nm krb5_get_init_creds_opt_init , 46.Nm krb5_get_init_creds_opt_set_address_list , 47.Nm krb5_get_init_creds_opt_set_addressless , 48.Nm krb5_get_init_creds_opt_set_anonymous , 49.Nm krb5_get_init_creds_opt_set_default_flags , 50.Nm krb5_get_init_creds_opt_set_etype_list , 51.Nm krb5_get_init_creds_opt_set_forwardable , 52.Nm krb5_get_init_creds_opt_set_pa_password , 53.Nm krb5_get_init_creds_opt_set_paq_request , 54.Nm krb5_get_init_creds_opt_set_preauth_list , 55.Nm krb5_get_init_creds_opt_set_proxiable , 56.Nm krb5_get_init_creds_opt_set_renew_life , 57.Nm krb5_get_init_creds_opt_set_salt , 58.Nm krb5_get_init_creds_opt_set_tkt_life , 59.Nm krb5_get_init_creds_opt_set_canonicalize , 60.Nm krb5_get_init_creds_opt_set_win2k , 61.Nm krb5_get_init_creds_password , 62.Nm krb5_prompt , 63.Nm krb5_prompter_posix 64.Nd Kerberos 5 initial authentication functions 65.Sh LIBRARY 66Kerberos 5 Library (libkrb5, -lkrb5) 67.Sh SYNOPSIS 68.In krb5/krb5.h 69.Pp 70.Ft krb5_get_init_creds_opt; 71.Pp 72.Ft krb5_error_code 73.Fo krb5_get_init_creds_opt_alloc 74.Fa "krb5_context context" 75.Fa "krb5_get_init_creds_opt **opt" 76.Fc 77.Ft void 78.Fo krb5_get_init_creds_opt_free 79.Fa "krb5_context context" 80.Fa "krb5_get_init_creds_opt *opt" 81.Fc 82.Ft void 83.Fo krb5_get_init_creds_opt_init 84.Fa "krb5_get_init_creds_opt *opt" 85.Fc 86.Ft void 87.Fo krb5_get_init_creds_opt_set_address_list 88.Fa "krb5_get_init_creds_opt *opt" 89.Fa "krb5_addresses *addresses" 90.Fc 91.Ft void 92.Fo krb5_get_init_creds_opt_set_addressless 93.Fa "krb5_get_init_creds_opt *opt" 94.Fa "krb5_boolean addressless" 95.Fc 96.Ft void 97.Fo krb5_get_init_creds_opt_set_anonymous 98.Fa "krb5_get_init_creds_opt *opt" 99.Fa "int anonymous" 100.Fc 101.Ft void 102.Fo krb5_get_init_creds_opt_set_change_password_prompt 103.Fa "krb5_get_init_creds_opt *opt" 104.Fa "int change_password_prompt" 105.Fc 106.Ft void 107.Fo krb5_get_init_creds_opt_set_default_flags 108.Fa "krb5_context context" 109.Fa "const char *appname" 110.Fa "krb5_const_realm realm" 111.Fa "krb5_get_init_creds_opt *opt" 112.Fc 113.Ft void 114.Fo krb5_get_init_creds_opt_set_etype_list 115.Fa "krb5_get_init_creds_opt *opt" 116.Fa "krb5_enctype *etype_list" 117.Fa "int etype_list_length" 118.Fc 119.Ft void 120.Fo krb5_get_init_creds_opt_set_forwardable 121.Fa "krb5_get_init_creds_opt *opt" 122.Fa "int forwardable" 123.Fc 124.Ft krb5_error_code 125.Fo krb5_get_init_creds_opt_set_pa_password 126.Fa "krb5_context context" 127.Fa "krb5_get_init_creds_opt *opt" 128.Fa "const char *password" 129.Fa "krb5_s2k_proc key_proc" 130.Fc 131.Ft krb5_error_code 132.Fo krb5_get_init_creds_opt_set_paq_request 133.Fa "krb5_context context" 134.Fa "krb5_get_init_creds_opt *opt" 135.Fa "krb5_boolean req_pac" 136.Fc 137.Ft krb5_error_code 138.Fo krb5_get_init_creds_opt_set_pkinit 139.Fa "krb5_context context" 140.Fa "krb5_get_init_creds_opt *opt" 141.Fa "const char *cert_file" 142.Fa "const char *key_file" 143.Fa "const char *x509_anchors" 144.Fa "int flags" 145.Fa "char *password" 146.Fc 147.Ft void 148.Fo krb5_get_init_creds_opt_set_preauth_list 149.Fa "krb5_get_init_creds_opt *opt" 150.Fa "krb5_preauthtype *preauth_list" 151.Fa "int preauth_list_length" 152.Fc 153.Ft void 154.Fo krb5_get_init_creds_opt_set_proxiable 155.Fa "krb5_get_init_creds_opt *opt" 156.Fa "int proxiable" 157.Fc 158.Ft void 159.Fo krb5_get_init_creds_opt_set_renew_life 160.Fa "krb5_get_init_creds_opt *opt" 161.Fa "krb5_deltat renew_life" 162.Fc 163.Ft void 164.Fo krb5_get_init_creds_opt_set_salt 165.Fa "krb5_get_init_creds_opt *opt" 166.Fa "krb5_data *salt" 167.Fc 168.Ft void 169.Fo krb5_get_init_creds_opt_set_tkt_life 170.Fa "krb5_get_init_creds_opt *opt" 171.Fa "krb5_deltat tkt_life" 172.Fc 173.Ft krb5_error_code 174.Fo krb5_get_init_creds_opt_set_canonicalize 175.Fa "krb5_context context" 176.Fa "krb5_get_init_creds_opt *opt" 177.Fa "krb5_boolean req" 178.Fc 179.Ft krb5_error_code 180.Fo krb5_get_init_creds_opt_set_win2k 181.Fa "krb5_context context" 182.Fa "krb5_get_init_creds_opt *opt" 183.Fa "krb5_boolean req" 184.Fc 185.Ft krb5_error_code 186.Fo krb5_get_init_creds 187.Fa "krb5_context context" 188.Fa "krb5_creds *creds" 189.Fa "krb5_principal client" 190.Fa "krb5_prompter_fct prompter" 191.Fa "void *prompter_data" 192.Fa "krb5_deltat start_time" 193.Fa "const char *in_tkt_service" 194.Fa "krb5_get_init_creds_opt *options" 195.Fc 196.Ft krb5_error_code 197.Fo krb5_get_init_creds_password 198.Fa "krb5_context context" 199.Fa "krb5_creds *creds" 200.Fa "krb5_principal client" 201.Fa "const char *password" 202.Fa "krb5_prompter_fct prompter" 203.Fa "void *prompter_data" 204.Fa "krb5_deltat start_time" 205.Fa "const char *in_tkt_service" 206.Fa "krb5_get_init_creds_opt *in_options" 207.Fc 208.Ft krb5_error_code 209.Fo krb5_get_init_creds_keytab 210.Fa "krb5_context context" 211.Fa "krb5_creds *creds" 212.Fa "krb5_principal client" 213.Fa "krb5_keytab keytab" 214.Fa "krb5_deltat start_time" 215.Fa "const char *in_tkt_service" 216.Fa "krb5_get_init_creds_opt *options" 217.Fc 218.Ft int 219.Fo krb5_prompter_posix 220.Fa "krb5_context context" 221.Fa "void *data" 222.Fa "const char *name" 223.Fa "const char *banner" 224.Fa "int num_prompts" 225.Fa "krb5_prompt prompts[]" 226.Fc 227.Sh DESCRIPTION 228Getting initial credential ticket for a principal. 229That may include changing an expired password, and doing preauthentication. 230This interface that replaces the deprecated 231.Fa krb5_in_tkt 232and 233.Fa krb5_in_cred 234functions. 235.Pp 236If you only want to verify a username and password, consider using 237.Xr krb5_verify_user 3 238instead, since it also verifies that initial credentials with using a 239keytab to make sure the response was from the KDC. 240.Pp 241First a 242.Li krb5_get_init_creds_opt 243structure is initialized 244with 245.Fn krb5_get_init_creds_opt_alloc 246or 247.Fn krb5_get_init_creds_opt_init . 248.Fn krb5_get_init_creds_opt_alloc 249allocates a extendible structures that needs to be freed with 250.Fn krb5_get_init_creds_opt_free . 251The structure may be modified by any of the 252.Fn krb5_get_init_creds_opt_set 253functions to change request parameters and authentication information. 254.Pp 255If the caller want to use the default options, 256.Dv NULL 257can be passed instead. 258.Pp 259The the actual request to the KDC is done by any of the 260.Fn krb5_get_init_creds , 261.Fn krb5_get_init_creds_password , 262or 263.Fn krb5_get_init_creds_keytab 264functions. 265.Fn krb5_get_init_creds 266is the least specialized function and can, with the right in data, 267behave like the latter two. 268The latter two are there for compatibility with older releases and 269they are slightly easier to use. 270.Pp 271.Li krb5_prompt 272is a structure containing the following elements: 273.Bd -literal 274typedef struct { 275 const char *prompt; 276 int hidden; 277 krb5_data *reply; 278 krb5_prompt_type type 279} krb5_prompt; 280.Ed 281.Pp 282.Fa prompt 283is the prompt that should shown to the user 284If 285.Fa hidden 286is set, the prompter function shouldn't echo the output to the display 287device. 288.Fa reply 289must be preallocated; it will not be allocated by the prompter 290function. 291Possible values for the 292.Fa type 293element are: 294.Pp 295.Bl -tag -width Ds -compact -offset indent 296.It KRB5_PROMPT_TYPE_PASSWORD 297.It KRB5_PROMPT_TYPE_NEW_PASSWORD 298.It KRB5_PROMPT_TYPE_NEW_PASSWORD_AGAIN 299.It KRB5_PROMPT_TYPE_PREAUTH 300.It KRB5_PROMPT_TYPE_INFO 301.El 302.Pp 303.Fn krb5_prompter_posix 304is the default prompter function in a POSIX environment. 305It matches the 306.Fa krb5_prompter_fct 307and can be used in the 308.Fa krb5_get_init_creds 309functions. 310.Fn krb5_prompter_posix 311doesn't require 312.Fa prompter_data. 313.Pp 314If the 315.Fa start_time 316is zero, then the requested ticket will be valid 317beginning immediately. 318Otherwise, the 319.Fa start_time 320indicates how far in the future the ticket should be postdated. 321.Pp 322If the 323.Fa in_tkt_service 324name is 325.Dv non-NULL , 326that principal name will be 327used as the server name for the initial ticket request. 328The realm of the name specified will be ignored and will be set to the 329realm of the client name. 330If no in_tkt_service name is specified, 331krbtgt/CLIENT-REALM@CLIENT-REALM will be used. 332.Pp 333For the rest of arguments, a configuration or library default will be 334used if no value is specified in the options structure. 335.Pp 336.Fn krb5_get_init_creds_opt_set_address_list 337sets the list of 338.Fa addresses 339that is should be stored in the ticket. 340.Pp 341.Fn krb5_get_init_creds_opt_set_addressless 342controls if the ticket is requested with addresses or not, 343.Fn krb5_get_init_creds_opt_set_address_list 344overrides this option. 345.Pp 346.Fn krb5_get_init_creds_opt_set_anonymous 347make the request anonymous if the 348.Fa anonymous 349parameter is non-zero. 350.Pp 351.Fn krb5_get_init_creds_opt_set_default_flags 352sets the default flags using the configuration file. 353.Pp 354.Fn krb5_get_init_creds_opt_set_etype_list 355set a list of enctypes that the client is willing to support in the 356request. 357.Pp 358.Fn krb5_get_init_creds_opt_set_forwardable 359request a forwardable ticket. 360.Pp 361.Fn krb5_get_init_creds_opt_set_pa_password 362set the 363.Fa password 364and 365.Fa key_proc 366that is going to be used to get a new ticket. 367.Fa password 368or 369.Fa key_proc 370can be 371.Dv NULL 372if the caller wants to use the default values. 373If the 374.Fa password 375is unset and needed, the user will be prompted for it. 376.Pp 377.Fn krb5_get_init_creds_opt_set_paq_request 378sets the password that is going to be used to get a new ticket. 379.Pp 380.Fn krb5_get_init_creds_opt_set_preauth_list 381sets the list of client-supported preauth types. 382.Pp 383.Fn krb5_get_init_creds_opt_set_proxiable 384makes the request proxiable. 385.Pp 386.Fn krb5_get_init_creds_opt_set_renew_life 387sets the requested renewable lifetime. 388.Pp 389.Fn krb5_get_init_creds_opt_set_salt 390sets the salt that is going to be used in the request. 391.Pp 392.Fn krb5_get_init_creds_opt_set_tkt_life 393sets requested ticket lifetime. 394.Pp 395.Fn krb5_get_init_creds_opt_set_canonicalize 396requests that the KDC canonicalize the client principal if possible. 397.Pp 398.Fn krb5_get_init_creds_opt_set_win2k 399turns on compatibility with Windows 2000. 400.Sh SEE ALSO 401.Xr krb5 3 , 402.Xr krb5_creds 3 , 403.Xr krb5_verify_user 3 , 404.Xr krb5.conf 5 , 405.Xr kerberos 8 406